Lexis Practice Advisor®Free Trial
Register to request a downloadable copy
Learn More AboutLexis Practice Advisor®
By Mark W. Brennan, Hogan Lovells US LLP
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), 15 U.S.C. §§ 7701–7713, imposes a number of detailed requirements on persons and entities that initiate and send commercial e-mail messages. Complying with the CAN-SPAM Act is crucial, as the failure to do so may lead to regulatory scrutiny, steep fines of up to $16,000 per violation, and significant public relations and reputational consequences.
This article will discuss what persons and entities are subject to the CAN-SPAM Act (i.e. “initiators” and “senders”); what types of messages are considered commercial and thus subject to the Act; the various CAN-SPAM requirements for commercial e-mail messages, including for sexually-oriented messages and messages sent to wireless devices; enforcement; preemption; and best practices for compliance.
The CAN-SPAM Act applies to any person or business entity that initiates or sends a commercial e-mail message to a business or individual consumer (regardless of whether the message is unsolicited). Commercial e-mail messages must generally comply with the following requirements:
A commercial e-mail message is defined as any e-mail that has a “primary purpose of . . . commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).”2
The CAN-SPAM Act is enforced primarily by the Federal Trade Commission (FTC), which can seek civil penalties of up to $16,000 per violation (with no maximum penalty). The CAN-SPAM Act may also be enforced, in certain circumstances, by various other federal agencies (including the Federal Communications Commission (FCC)), state attorneys general, and Internet Service Providers (ISPs). There is no private right of action.
The CAN-SPAM Act applies to initiators and senders of commercial e-mail messages, with different requirements applicable to each. ). The definition of each term is discussed in further detail below, along with the related issues of CAN-SPAM liability with respect to multiple senders and forward-to-a-friend e-mail marketing campaigns.
A person or entity initiates a commercial e-mail message by:
Initiators of commercial e-mail messages must comply with all aspects of CAN-SPAM (except for certain opt-out requirements that apply only to senders). For more on these requirements, see Commercial Message Requirements (Initiators), below.
Note that the definition of initiate does not include actions that constitute routine conveyance—i.e., transmitting, routing, or storing e-mails through an automatic technical process (if another person has identified the recipients or provided the recipients’ addresses).4
A sender is an initiator whose own product, service, or Internet website is advertised or promoted in a commercial e-mail message.5 Senders of commercial e-mails must process and honor opt-out requests, and the sender’s valid physical postal address must be included in such e-mails.
Given the above definitions, note that commercial e-mails may have multiple initiators and senders. For instance, if a company engages a marketing affiliate to send commercial e-mails advertising the company’s products, both the company and the affiliate would be considered initiators under CAN-SPAM.
The affiliate is an initiator because it transmits the e-mail, while the company is an initiator because it procures the transmission of the e-mail. The company would also be considered a sender under CAN-SPAM because it is an initiator whose products are also advertised in the e-mail.6
If multiple persons’ and/or entities’ products, services, or websites are advertised or promoted in a single message (common in joint marketing campaigns), each person or entity is considered a sender for purposes of CAN-SPAM Act compliance, unless:
If each of the above is satisfied, then only the designated sender need comply with the CAN-SPAM requirements applicable to senders (processing and honoring opt-out requests, valid physical postal address). Otherwise, all of the persons/entities must comply.
Note, however, that even if a particular person/entity is designated as the sender, the non-senders are still considered initiators and must comply with all of the CAN-SPAM requirements applicable to initiators.
To guard against potential liability (e.g., if the designated sender fails to comply with the various CAN-SPAM requirements), persons/entities involved in joint marketing campaigns or similar arrangements should ensure that the relevant contracts specify which party is required to comply with the CAN-SPAM Act and the remedies for non-compliance. Such persons/entities should also audit all third-party service providers and marketing affiliates on a regular basis to help ensure compliance.
Companies commonly participate in forward-to-a-friend e-mail marketing campaigns (i.e., campaigns encouraging consumers to forward e-mails that advertise or promote the company’s products). Such campaigns are typically conducted via one of the following methods:
A company is considered both an initiator and sender under CAN-SPAM if it “procures” the origination or transmission of the forwarded e-mail by:
However, merely encouraging a consumer to forward a message, without more, is permissible and will not subject a company to CAN-SPAM liability.10
The FTC has also indicated that consumers who forward commercial messages—without being offered any consideration or inducement—are not subject to CAN-SPAM (even though they would technically be considered initiators under a strict reading of the statute). 11
The main requirements of the CAN-SPAM Act only apply to commercial e-mail messages. As such, the first step in assessing CAN-SPAM Act compliance is to determine whether a particular e-mail message is commercial or, instead, a transactional or relationship message or other type of message (to which CAN-SPAM generally does not apply).
When conducting this inquiry:
If the message is commercial, then you must comply with all of CAN-SPAM’s requirements. If the message is a transactional or relationship message (as discussed below), you need only ensure that the message does not contain false or misleading header information.
To determine whether an e-mail message contains any transactional or relationship content, assess whether the message does one or more of the following:
If the message contains any of the above information and no commercial content, then it is considered a transactional or relationship message.14
Transactional or relationship messages may not contain false or misleading header information (i.e., the “From,” “To,” “Reply To,” and routing information, including the originating domain name and e-mail address).15 However, such messages are otherwise exempt from the CAN-SPAM Act’s more detailed requirements.
If a message contains both commercial content and transactional or relationship content (as discussed above), assess whether the message’s primary purpose is commercial under 16 C.F.R. § 316.3(a)(2). Such messages have a commercial primary purpose if either:
If the message is commercial, then you must comply with all of CAN-SPAM’s requirements.
If a message contains both commercial content and non-transactional or non-relationship content, assess whether the message’s primary purpose is commercial under 16 C.F.R. § 316.3(a)(3). Such messages have a commercial primary purpose if either:
The following factors are relevant to the analysis:
Any person or entity that initiates a commercial e-mail message (i.e., a message with a primary purpose of commercial advertisement or promotion of a commercial product or service) must comply with the following requirements under CAN-SPAM:
Each of these requirements is discussed in further detail below. Note that separate requirements apply to senders of commercial e-mail messages – see Commercial Message Requirements later in this article.
The CAN-SPAM Act prohibits the transmission of a commercial e-mail message or a transactional or relationship message that contains materially false or misleading header information. This is the only requirement that applies to both commercial and transactional or relationship messages.
To comply with this aspect of CAN-SPAM, header information (i.e., the “From,” “To,” “Reply To,” and routing information, including the originating domain name and e-mail address) must be accurate and must clearly identify the person who initiated the message.20
The CAN-SPAM Act prohibits the transmission of commercial e-mails with deceptive subject lines. A subject line is deceptive if the initiator of the message had actual knowledge (or knowledge fairly implied on the basis of objective circumstances) that the subject line would be likely to mislead the recipient about a material fact regarding either:
To comply with this aspect of CAN-SPAM, the subject line must accurately describe the content of the e-mail (e.g., by using Advertising, ADV, or similar language).
Commercial e-mails must clearly explain how the recipient can opt out of receiving future commercial messages from the sender via one of the following opt-out mechanisms:
If there is an opt-out menu offered, one menu option must allow a complete opt-out of all commercial messages from the sender.23
The opt-out mechanism must be functional for at least 30 days after the e-mail is sent. Note, however, that an unexpected, temporary inability to receive messages or process opt-out requests—due to a technical problem beyond the sender’s control—does not violate CAN-SPAM if the problem is corrected within a reasonable time period.24
To comply with this aspect of CAN-SPAM, opt-out notices must be clear and conspicuous, and all opt-out mechanisms must be functional. Businesses should therefore consider ways to make the opt-out notice stand out from other parts of the message, such as through font size, color use, or other formatting approaches. They should also test their opt-out mechanisms on a regular basis and promptly correct any issues.
The sender’s valid physical postal address must be included in a commercial e-mail message.25 To comply with this requirement, the message must include either of the following:
A commercial e-mail message must identify the message as an advertisement or solicitation (unless the recipient previously consented to receive the message).27
To comply with this requirement, the message must contain a clear and conspicuous notice that it is an advertisement or solicitation (unless the recipient previously opted in to receive such messages). The notice should be legible and stand out against the rest of the text, for example, by appearing in a larger font size or a different font and/or color.
To comply with CAN-SPAM, senders of commercial e-mail messages must:
Each issue is discussed in further detail below.
Senders of commercial e-mail messages (or those acting on behalf of a sender) may not require a recipient to do any of the following in order to submit an opt-out request or have such a request honored:
Once a recipient submits an opt-out request, the following applies:
To comply with these aspects of CAN-SPAM, senders should test their processes for opt-out requests on a regular basis and promptly correct any issues. Senders should also regularly assess their internal procedures for tracking and honoring opt-out requests (e.g., scrubbing mailing lists prior to sending any commercial e-mails) and, where appropriate, conduct audits for vendor compliance.
The sender’s valid physical postal address must be included in a commercial e-mail message.30 To comply with this requirement, the message must include any of the following:
Additional CAN-SPAM requirements apply to initiators of commercial e-mail messages that contain sexually-oriented material. Such material is defined as “any material that depicts sexually explicit conduct . . . unless the depiction constitutes a small and insignificant part of the whole, the remainder of which is not primarily devoted to sexual matters.”32
If a commercial e-mail contains sexually-oriented material, and the recipient has not previously consented to receive such messages, warning labels must appear in:
Note that the warning-label restrictions are in addition to the general CAN-SPAM requirements that are applicable to all commercial e-mails.
If a commercial e-mail contains sexually-oriented material, the subject line must include the warning “SEXUALLY-EXPLICIT:” in capital letters as the first 19 characters in the subject line (the colon and the space following the phrase are the 18th and 19th characters). The subject line may not include any sexually-oriented material.34
If a commercial e-mail contains sexually-oriented material, the body of the message must include the electronic equivalent of a “brown paper wrapper,” such that when the recipient opens the message, the only things initially viewable are:
The CAN-SPAM Act authorizes the FCC to regulate unwanted mobile service commercial messages (i.e., commercial e-mails sent to e-mail addresses associated with a wireless device, such as firstname.lastname@example.org).36 To that end, the FCC has enacted rules addressing such messages.
Among other things, the FCC rules:
Each of these issues is discussed in further detail below.
A person or entity may not initiate a mobile service commercial message without express prior authorization.37 This opt-in requirement is in contrast to the FTC’s opt-out requirements for commercial e-mail messages.
A mobile service commercial message is a commercial e-mail message “that is transmitted directly to a wireless device that is utilized by a subscriber of a commercial mobile service . . . in connection with such service.”38 An example would be a commercial e-mail message sent to email@example.com.
A commercial message is presumed to be a mobile-service commercial message “if it is sent or directed to any address containing a reference, whether or not displayed, to an Internet domain listed on the FCC’s wireless domain names list.”39 The list, available on the FCC’s website, is periodically updated by wireless carriers, per FCC regulations.40
There is no liability for sending a message where a domain has appeared on the FCC’s list for fewer than 30 days, so long as the person or entity does not knowingly initiate a mobile service commercial message.41
To ensure compliance with the rules, check the FCC’s wireless domain names list within 30 days of sending any commercial e-mails to addresses associated with a wireless device. If the domain at issue appears on the list, you must:
When requesting express prior authorization, an initiator of a mobile service commercial message must clearly disclose the following:
Express prior authorization may be obtained by oral or written means, including electronic methods. If written, the authorization must contain the recipient’s signature (or electronic signature, in accordance with the E-Sign Act).43
Mobile service commercial messages (if properly authorized) must include one or more opt-out mechanisms, such as a functional return e-mail address or other Internet-based mechanism (such as an opt-out link). The following rules also apply:
The opt-out mechanism(s) must be functional for at least 30 days after a message is sent, and all opt-out requests must be processed within 10 business days.45
To comply with this aspect of the FCC’s rules, opt-out notices must be clear and conspicuous, and all opt-out mechanisms must be functional. Businesses should therefore test their opt-out mechanisms (and their processes for tracking opt-out requests) on a regular basis and promptly correct any issues. They should also, where appropriate, conduct audits for vendor compliance.
While the CAN-SPAM Act is enforced primarily by the FTC, a host of federal and state agencies, along with Internet service providers (ISPs), also have authority to enforce the CAN-SPAM Act. There is no private right of action for consumers.
Penalties for violations vary based on which entity is enforcing the Act and may be enhanced in the case of aggravated violations. Criminal penalties may also be imposed by the Department of Justice (DOJ) in certain circumstances.
The various types of CAN-SPAM enforcement and penalties are discussed below.
The FTC has authority to enforce CAN-SPAM Act violations as unfair and deceptive trade practices under the FTC Act.46 The FTC can seek civil penalties of up to $16,000 per e-mail that violates CAN-SPAM, with no maximum penalty.47 The FTC may also seek injunctive relief.48
Other federal agencies have authority to enforce the CAN-SPAM Act against entities or activities that fall outside the scope of the FTC’s jurisdiction; such agencies include the Securities and Exchange Commission (SEC) and the FCC, among others. The penalties for non-compliance vary depending on the agency and the statutes/regulations at issue.49
State attorneys general and other state officials and agencies can bring claims for CAN-SPAM Act violations affecting state residents. Such agencies can seek to recover:
Aggravated violations are explained in detail later in this article.
ISPs can bring claims for certain CAN-SPAM Act violations (e.g., false or misleading header information, failure to place warning labels on commercial e-mails containing sexually-oriented material). ISPs can seek to recover:
Note that in actions brought by ISPs, the term procure (which bears on the definition of initiator) has a different meaning. Specifically, a person or entity that provides consideration to, or induces, another person to initiate a commercial e-mail on its behalf must have actual knowledge, or must consciously avoid knowing, that such person is engaging, or will engage, in a pattern or practice that violates the CAN-SPAM Act.52
In CAN-SPAM actions brought by ISPs or state attorneys general or other state agencies, statutory damage awards may be tripled if the defendant committed one or more of the following aggravated violations:
The DOJ may assess fines and/or up to five years’ imprisonment for knowing violations of the CAN-SPAM warning-label requirements for sexually-oriented material.54 The DOJ may also assess fines, up to five years’ imprisonment, and/or forfeitures for fraud and related activities in connection with e-mail.55
The CAN-SPAM Act preempts state laws that expressly regulate the use of e-mail to send commercial messages, except to the extent such laws prohibit “falsity or deception” in any portion of a commercial e-mail message.56 As such, states’ general consumer protection laws and similar laws are not preempted. Additionally, the Act expressly does not preempt:
The CAN-SPAM Act also has no effect on an ISP’s “adoption, implementation, or enforcement” of a policy of declining to transmit, route, handle, or store certain types of e-mail messages (e.g., spam policies).58
Research Path: Intellectual Property & Technology > Privacy & Data Security > Privacy & Data Security Compliance > Practice Notes > Complying with Privacy & Data Security Laws
Mark W. Brennan is a partner in the Washington, D.C. office of Hogan Lovells US LLP, and his practice spans communications technology and privacy issues.
1See 15 U.S.C. § 7704. 2 15 U.S.C. § 7702(2)(A). 3 See15 U.S.C. § 7702(9),(12). 4 See 15 U.S.C. § 7702(15). 5 See 15 U.S.C. § 7702(16). 6 See 15 U.S.C. § 7702(9),(12),(16). 7 See16 C.F.R. § 316.2(m). 8 See Statement of Basis and Purpose, 73 FR 29654 (FTC May 21, 2008). 9 Id. 10 Id. 11 Id. 12 See15 U.S.C. § 7702(17)(A). 13 See15 U.S.C. § 7702(17)(A);16 C.F.R. § 316.3(c). 14 See 16 C.F.R. § 316.3(b). 15 See 15 U.S.C. § 7704(a)(1). 16 See 16 C.F.R. § 316.3(a)(2). 17 See16 C.F.R. § 316.3(a)(3). 181 See16 C.F.R. § 316.3(a)(3)(ii). 19 See generally 15 U.S.C. § 7704. 20 See 15 U.S.C. § 7704(a)(1). 21 See15 U.S.C. § 7704(a)(2). 22 See15 U.S.C. § 7704(a)(3)(A). 23 See 15 U.S.C. § 7704(a)(3)(B). 24 See 15 U.S.C. § 7704(a)(3)(C). 25 See 15 U.S.C. § 7704(a)(5)(A). 26 See 16 C.F.R. § 316.2(p). 27 See15 U.S.C. § 7704(a)(5)(A). 28 See16 C.F.R. § 316.5. 29 See 15 U.S.C. § 7704(a)(4)(A)(B). 30 See15 U.S.C. § 7704(a)(5)(A). 31 See 16 C.F.R. § 316.2(p). 32 See 15 U.S.C. § 7704(d)(4). 33 See 15 U.S.C. § 7704(d)(1),(2). 34 See 16 C.F.R. § 316.4(a)(1). 35 See 16 C.F.R. § 316.4(a)(2). 36 See generally 15 U.S.C. § 7712. 37 See 47 C.F.R. § 64.3100(a)(1). 38 See 47 C.F.R. § 64.3100(c)(7). 39 See 47 C.F.R. § 64.3100(c)(7). 40 See 47 C.F.R. § 64.3100(f). 41 See 47 C.F.R. § 64.3100(a)(4). 42 See 47 C.F.R. § 64.3100(d)(5). 43 See 47 C.F.R. § 64.3100(d)(1). 44 See 47 C.F.R. § 64.3100(b). 45 See 47 C.F.R. § 64.3100(b)(1), (6). 46 15 U.S.C. § 7706(a). 47 See 15 U.S.C. § 7706(d). 48 See 15 U.S.C. § 7706(e). 49 See 15 U.S.C. § 7706(b). 50 See 15 U.S.C. § 7706(f). 51 See 15 U.S.C. § 7706(g). 52 See 15 U.S.C. § 7706(g)(2). 53 See 15 U.S.C. § 7704(b),15 U.S.C. § 7706(f)(3)(C), 15 U.S.C. § 7706(g)(3)(C). 54 See 15 U.S.C. § 7704(d)(5). 55 See 18 U.S.C. § 1037. 56 See 15 U.S.C. § 7707(b)(1). 57 See 15 U.S.C. § 7707(b)(2). 58 See 15 U.S.C. § 7707(c).